| Summary: | Fishing protection: KMail displays title in link not href | | |
|---|---|---|---|
| Product: | [Applications] kmail2 | Reporter: | Thomas Tanghus <thomas> |
| Component: | UI | Assignee: | kdepim bugs <kdepim-bugs> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | meyerm, montel |
| Priority: | NOR | | |
| Version: | 4.9.1 | | |
| Target Milestone: | --- | | |
| Platform: | Ubuntu | | |
| OS: | Linux | | |
| Latest Commit: | http://commits.kde.org/kdepim/d598e27a603cce276068898cf8d244f51b1003ce | Version Fixed In: | 4.10.2 |
| Sentry Crash Report: | | | |
| Attachments: | Example fishing attempt mail. | | |

Description
Thomas Tanghus
2012-10-04 09:21:51 UTC
Created attachment 74328
Example fishing attempt mail.
And what do you want us to do?

Oh, I'm sorry if I didn't write that: Show the actual link in the href on hover instead of the title.

Example anchor link (dunno if bugzilla allows markup?)

<a href="http://http://rakibkhan.com/boWzhT98/index.html/" title="http://www.linkedin.com">Adjust your message settings.</a>

On hover show the possibly malicious link http://http://rakibkhan.com/boWzhT98/index.html instead of http://www.linkedin.com

I'm sorry to bother again, but I really think this is a grave security issue. MUAs should help protect users against phishing attempts, and currently KMail does the opposite. In Denmark we have a lot of mails spoofing e.g. the tax authorities' addresses, and the general advice is to hover over the links in the mail to see where they point. In KMail this doesn't work, so you have to view the source of the mail.

Sorry I didn't have time to do it. Will do it today or tomorrow.
Will implement scam search feature for 4.11
Regards.

Great! I didn't mean to bug you, it just looked like it wasn't a priority.

Git commit d598e27a603cce276068898cf8d244f51b1003ce by Montel Laurent.
Committed on 19/03/2013 at 16:51.
Pushed by mlaurent into branch 'KDE/4.10'.

Fix Bug 307818 - Fishing protection: KMail displays title in link not href
FIXED-IN: 4.10.2
always shows url and not title

M +0 -4 messageviewer/viewer_p.cpp

http://commits.kde.org/kdepim/d598e27a603cce276068898cf8d244f51b1003ce

Git commit a40573f3758643708da5051df438daf4704da678 by Montel Laurent.
Committed on 20/03/2013 at 08:07.
Pushed by mlaurent into branch 'master'.

Implement scam detection. Now we have a warning when we detect that a message can be a scam.
(for the moment we detect if an anchor has a title and it shows an url which is not the url defined in href)
We will improve it.

M +9 -0 messageviewer/mailwebview.h
M +15 -2 messageviewer/mailwebview_webkit.cpp
M +17 -12 messageviewer/scamdetection/scamdetection.cpp
M +3 -5 messageviewer/scamdetection/scamdetection.h
M +5 -0 messageviewer/scamdetection/scamdetectionwarningwidget.cpp
M +3 -0 messageviewer/scamdetection/scamdetectionwarningwidget.h
M +1 -0 messageviewer/viewer_p.cpp
M +4 -1 messageviewer/webkitparthtmlwriter.cpp

http://commits.kde.org/kdepim/a40573f3758643708da5051df438daf4704da678

Thomas, in 4.11 I created a scam detector.
It's the beginning but I will add more checks.
Regards

(In reply to comment #9)
> Thomas, in 4.11 I created a scam detector.
> It's the beginning but I will add more checks.

This is awesome. More than I had asked for :)

Now we have a widget to inform that a message is perhaps a scam message.
I will investigate more rules to check them.
Regards

Hey, that's really cool! Thank you! But please check out bug #324103 as this could lead to misunderstandings by people not being aware of technical details.
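The rule described in the second commit message (an anchor whose title shows a URL that is not the URL in href), as an added example that is not KMail's scamdetection.cpp code. The function names and the sample HTML are constructed for illustration, and comparing hosts rather than whole URLs is an assumption of this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


def url_host(value):
    """Lowercased host if value looks like an http(s) URL or a bare www. name, else None."""
    value = (value or "").strip()
    if value.lower().startswith("www."):
        value = "http://" + value
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https"):
        return None
    return (parts.hostname or "").lower() or None


class AnchorTitleCheck(HTMLParser):
    """Collect anchors whose title displays a URL on a different host than href."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        a = dict(attrs)
        shown, target = url_host(a.get("title")), url_host(a.get("href"))
        # A title that is plain text (shown is None) is harmless; a title that
        # shows a URL must agree with href, including when href is not http(s).
        if shown and shown != target:
            self.findings.append((a.get("title"), a.get("href")))


def find_mismatched_titles(html):
    """Return (title, href) pairs that a mail viewer should warn about."""
    checker = AnchorTitleCheck()
    checker.feed(html)
    checker.close()
    return checker.findings


# Constructed sample mail body: only the first anchor should be reported.
SAMPLE = """
<a href="http://login.example.net/boWzhT98/index.html" title="http://www.example.com">Adjust your message settings.</a>
<a href="https://www.example.com/help" title="https://www.example.com">Help</a>
<a href="https://www.example.com/about" title="About us">About</a>
"""

if __name__ == "__main__":
    for title, href in find_mismatched_titles(SAMPLE):
        print(f"possible scam: title shows {title!r} but link goes to {href!r}")
```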